UNITED STATES GOVERNMENT
National Labor Relations Board
Office of Inspector General

Safeguarding Social Security Numbers

Report No. OIG-AMR-48-05-05

August 2005

INSPECTOR GENERAL

NATIONAL LABOR RELATIONS BOARD
WASHINGTON, DC 20570

August 31, 2005

I hereby submit an audit on Safeguarding Social Security Numbers, Report No. OIG-AMR-48-05-05. This audit was conducted to assess the adequacy of controls at the National Labor Relations Board (NLRB or Agency) over the access to, disclosure of, and use of Social Security Numbers (SSN) by external entities. This audit includes SSNs of Agency employees, vendors, and those collected by program offices for case processing purposes.

The SSN was created in 1936 as a means of tracking workers' earnings and eligibility for Social Security benefits. Over the years, the SSN has become a de facto national identifier used by Federal agencies. While a number of laws and regulations require the use of SSNs for various Federal programs, they generally impose limitations on how they can be used. The Freedom of Information Act (FOIA) of 1966, the Privacy Act of 1974 (Privacy Act), and the Social Security Act Amendments of 1990 generally govern disclosure and use of SSNs. Other Federal laws lay out a framework for Federal agencies to follow when they establish information security programs that protect sensitive personal information, such as SSNs. Because the increased use of the SSN as a national identifier provides a motive for unscrupulous individuals to acquire a SSN and use it for illegal purposes, Federal agencies have the responsibility to limit the risk of unauthorized disclosure of SSNs.

The importance of security over SSNs is illustrated by recent events such as a security breach at the Federal Deposit Insurance Corporation (FDIC).
On June 18, 2005, CNN reported that the FDIC, which insures many of the nation's banks, alerted 6,000 current and former employees that personal information may have been released and that some individuals could be the victims of identity theft. CNN reported that a letter to FDIC employees said that the breach included names, birth dates, and SSNs. The letter also stated that in a small number of cases the information is known to have been used to obtain fraudulent loans from a credit union.

The Agency uses SSNs because their use is required by Federal laws and regulations to identify employees and vendors. Additionally, Regional Offices collect SSNs to help locate parties in unfair labor practice cases and to use in cases in which backpay is a potential remedy.

Generally, the Agency had adequate controls over SSNs in the FOIA process. SSNs were not included in affidavits, which would protect the individual's privacy in judicial proceedings. Three of the four Regional Offices visited adequately secured employee related documents. Also, workday physical inspections of the Regional Offices visited, Security Branch, Office of Employee Development, and Procurement and Facilities Branch did not find any instances of unsafeguarded SSNs. We did observe, however, a few instances at Headquarters in which documents containing personal information, including SSNs, were left in an unsecured manner while the employees in custody were away from their work area.

We determined that improvements were needed to comply with the Privacy Act. The Agency used forms to collect SSNs that did not have the disclosure required by the Privacy Act. One Regional Office did not maintain some personnel records in accordance with Federal regulations or an Agency Privacy Act System of Records notice.
The Agency has not published a system of records notice related to Regional Office case files.

We made five recommendations to the Records Management Section Chief, who is also the Agency's Privacy Act Officer. These recommendations were generally to revise forms that do not comply with the Privacy Act requirements regarding the collection of SSNs, inform Regional Offices about the Privacy Act disclosure requirements, update non-NLRB forms provided in the NLRB Web Forms Library, remind employees about maintaining various documents containing SSNs in accordance with Agency policies, and coordinate with Agency management to publish a Privacy Act System of Records Notice for the Case Activity Tracking System and other Regional Office files.

An exit conference was held on July 28, 2005, with representatives of the Division of Administration and the Division of Operations-Management. A draft report was sent to the Records Management Section Chief on July 29, 2005, for review and comment. The Chief's response to the draft report had no comments with respect to the findings, agreed with the recommendations, and indicated planned corrective actions. The response, dated August 30, 2005, is included as an appendix to this report.

Jane E. Altenhofen
Inspector General

TABLE OF CONTENTS

BACKGROUND
OBJECTIVES, SCOPE, AND METHODOLOGY
FINDINGS
COLLECTION OF SSNs
       NLRB Forms
       Non-NLRB Forms
AFFIDAVITS AND EXHIBITS
ACCESS TO EMPLOYEE RECORDS
PHYSICAL INSPECTION
TRAINING FORMS
PRIVACY ACT SYSTEMS OF RECORD NOTICE
AUDIT FOLLOW-UP
RECOMMENDATIONS
ATTACHMENT – Universe of Transactions Available for Testing
APPENDIX
       Memorandum from the Chief, Records Management Section / Privacy Act Officer, Comments on Draft Audit Report - "Safeguarding Social Security Numbers" (OIG-AMR-48), dated August 30, 2005

BACKGROUND

The National Labor Relations Board (NLRB or Agency) administers the principal labor relations law of the United States, the National Labor Relations Act (NLRA) of 1935, as amended.
The NLRA is generally applied to all enterprises engaged in interstate commerce, including the United States Postal Service, but excluding other governmental entities as well as the railroad and airline industries. The Fiscal Year (FY) 2005 appropriation authorizes 1,865 full-time equivalents that are located at Headquarters, 51 field offices throughout the country, and 3 satellite offices for Administrative Law Judges. NLRB received an appropriation of $251,875,000 for FY 2005, less an across-the-board rescission of .8 percent, leaving a net spending ceiling of $249,860,000.

The Social Security number (SSN) was created in 1936 as a means of tracking workers' earnings and eligibility for Social Security benefits. Over the years, the SSN has become a de facto national identifier used by Federal agencies. While a number of laws and regulations require the use of SSNs for various Federal programs, they generally impose limitations on how they can be used. The Freedom of Information Act (FOIA) of 1966, the Privacy Act of 1974 (Privacy Act), and the Social Security Act Amendments of 1990 generally govern disclosure and use of SSNs. Other Federal laws lay out a framework for Federal agencies to follow when they establish information security programs that protect sensitive personal information, such as SSNs.

Because the increased use of the SSN as a national identifier provides a motive for unscrupulous individuals to acquire a SSN and use it for illegal purposes, Federal agencies have the responsibility to limit the risk of unauthorized disclosure of SSNs. In 2003, the Social Security Administration (SSA) Office of Inspector General (OIG) coordinated an audit among 15 agencies that are members of the President's Council on Integrity and Efficiency. The SSA OIG reported that most of the reporting agencies had inadequate controls over access to SSNs maintained by the agencies.

The NLRB collects SSNs in many areas of its business.
Executive Order 9397, Numbering System for Federal Accounts Relating to Individual Persons, dated November 22, 1943, states that Federal agencies shall use SSNs when identifying individuals. Vendor taxpayer identification numbers, which may include SSNs, are collected in accordance with the Debt Collection Improvement Act of 1996. Additionally, Regional Offices collect SSNs to help locate parties in unfair labor practice cases and to use in cases in which backpay is a potential remedy.

OBJECTIVES, SCOPE, AND METHODOLOGY

The objective of this audit was to assess the adequacy of the Agency's controls over the access to, disclosure of, and use of SSNs by external entities. This audit included SSNs of Agency employees, vendors, and those collected by program offices for case processing purposes. Our scope included transactions involving SSNs at the Agency in calendar year 2004.

We reviewed laws and regulations relevant to safeguarding SSNs, including the Privacy Act and FOIA. We reviewed the Agency's Administrative Policy and Procedures Manual (APPM) to identify procedures for protecting the records of individuals. We reviewed the Agency's Privacy Act Systems of Records Notices to determine our testing universe. We reviewed the NLRB Casehandling Manual and Division of Operations-Management (Operations-Management) memoranda for guidance regarding the handling of SSNs during Agency proceedings.

We interviewed staff in Human Resources Branch (HRB), Security Branch (Security), Procurement and Facilities Branch (PFB), Finance Branch (Finance), Office of Equal Employment Opportunity (OEEO) and the Office of Employee Development (OED) to identify and gain an understanding of controls over SSNs. We evaluated the identified controls.
We obtained a list of forms used by the Agency to collect SSNs and determined whether the forms complied with the Privacy Act.

We interviewed employees in the Division of Advice (Advice), Office of Appeals (Appeals), Office of Executive Secretary (OES), and the four Regional Offices visited to learn about how FOIA requests are processed. We selected a statistical sample of 25 FOIA requests in Advice and judgmental samples of 25 FOIA requests in Appeals, OES, and the four Regional Offices visited and determined whether documents containing SSNs were released. The universe of FOIA requests is shown as an attachment to this report.

For each Regional Office visited, we interviewed employees to learn about controls over documents containing SSNs. We evaluated the controls over employee and case processing information. We selected judgmental samples of 25 unfair labor practice cases (C cases) in compliance and 30 C cases in which either a complaint was issued or an unlawful discharge was alleged and tested whether documents that could become public contained SSNs. The universe of these C cases is shown as an attachment to this report.

This audit was performed in accordance with generally accepted government auditing standards during the period of March 2005 through July 2005 at NLRB Headquarters in Washington, D.C. and the following Regional Offices: Region 8 – Cleveland, Region 18 – Minneapolis, Region 20 – San Francisco, and Region 22 – Newark.

FINDINGS

Generally, the Agency had adequate controls over SSNs in the FOIA process. SSNs were not included in affidavits, which would protect the individual's privacy in judicial proceedings. Three of the four Regional Offices visited adequately secured employee related documents.
Also, workday physical inspections of the Regional Offices visited, Security, OED, and PFB did not find any instances of unsafeguarded SSNs. We did observe a few instances at Headquarters in which documents containing personal information, including SSNs, were left in an unsecured manner while the employees in custody were away from their work area.

We determined that improvements were needed to comply with the Privacy Act. The Agency used forms to collect SSNs that did not have the disclosure required by the Privacy Act. One Regional Office did not maintain some personnel records in accordance with Federal regulations or an Agency Privacy Act System of Records notice. The Agency has not published a system of records notice related to Regional Office case files.

COLLECTION OF SSNs

Section 7(b) of the Privacy Act states that any Federal, state or local government agency that requests an individual to disclose an SSN shall inform that individual whether the disclosure is mandatory or voluntary, by what statutory or other authority such a number is solicited, and what uses will be made of it. The Government Accountability Office, formerly known as the General Accounting Office, noted in its report Government Benefits from SSN Use but Could Provide Better Safeguards that this section applies to all agencies and does not limit the coverage to agencies maintaining a system of records.

NLRB Forms

In the Agency's Web Forms Library on the NLRB Intranet, 178 NLRB forms are listed. Eight forms collect an individual's SSN.
As shown in the following table, the eight forms did not completely provide the required information from the Privacy Act, although some forms contained some of the required information or had information that was not specific to providing an SSN.

Disclosures on NLRB Forms Collecting SSNs

NLRB Form                                                                       Providing SSN  Authority for  Use of  Complies
                                                                                is Mandatory   Collection     SSN     With Act
NLRB-916 Backpay Claimant Information                                           No             No             No      No
NLRB-3010 Travel Order                                                          No             No             No      No
NLRB-3065 NLRB Request for Personnel Data                                       No             No             No      No
NLRB-4180 Authorization to SSA to Furnish Employment and Earnings Information   Yes            No             Yes     No
NLRB-4260 NLRB Annual Travel Order                                              No             No             No      No
NLRB-4312 NLRB Computation of Backpay                                           No             No             No      No
NLRB-5411 Employee Assistance Program Lifestyle History                         No             No             No      No
NLRB-5493 ACH Vendor / Miscellaneous Payment Enrollment Form                    Yes            Yes            No      No

Two of the eight forms, NLRB-916, Backpay Claimant Information and NLRB-4180, Authorization to Social Security Administration to Furnish Employment and Earnings Information, were used to collect information on discriminatees. The NLRB Casehandling Manual states that these forms should be sent to all identified discriminatees when the Regional Office issues a complaint or administratively determines that a charge has merit.
Neither the forms nor the correspondence sent by the Regional Offices with the forms included the information regarding SSNs required by the Privacy Act. In addition, Region 18 and Region 22 sent forms developed by the Regional Office to discriminatees that did not contain a Privacy Act Notice about collecting SSNs.

A form not in the Web Forms Library, NLRB-4858, Complaint of Employment Discrimination against the NLRB, is used by OEEO to record the filing of a formal written complaint of employment discrimination against the NLRB. This form contains a Privacy Act Notice, but did not contain information related to the collection of an SSN. Staff in OEEO said that if information relating to SSN collection is required, revisions to the form would be considered.

Non-NLRB Forms

The NLRB Web Forms Library contains 24 forms that are from sources other than the NLRB, 8 of which collect SSNs. Three of the eight forms that collect SSNs do not contain information required by the Privacy Act regarding the collection of SSNs.

   •   The Standard Form (SF) 182, Request, Authorization, Agreement and Certification of Training, is listed in the Web Forms Library as a single-page document. The hard copy form contains the required notice.

   •   The Optional Form 612, Optional Application for Federal Employment, is a two-page document in the Web Forms Library. A copy of the form obtained from the Office of Personnel Management (OPM) website contains a third page containing the required information.

   •   The SF 52, Request for Personnel Action, does not contain the required information. Neither a copy of the form obtained from the OPM website nor the hard copy form contained the required information.

The forms provided in the Web Forms Library were incomplete.
These forms are available electronically to provide the user with the convenience of being able to fill out the form electronically.

AFFIDAVITS AND EXHIBITS

OM Memorandum 04-16, Claimants' Social Security Numbers, dated December 24, 2003, states that the Regional Offices should ensure that claimants' SSNs are not included on any document that may become public unless required. Documents identified include affidavits, proofs of claim and compliance specifications, as well as any attachments. OM Memorandum 05-57, Report of FY 2005 Quality Committee, dated April 20, 2005, noted that SSNs should not be included in an affidavit because of privacy concerns.

SSNs were not included in affidavits in any of the four Regional Offices visited. SSNs were included in exhibits to affidavits in three of the four Regional Offices visited. In Region 18 and Region 20, a significant number of cases had affidavits with exhibits containing SSNs. Documents attached as exhibits to affidavits include pay stubs, employee applications, and lists of employees. The cause of the affidavit exhibits containing SSNs is their submission by the affiant, not the action of the Agency. Operations-Management stated that SSNs could be redacted on the affidavit exhibits if not necessary.

ACCESS TO EMPLOYEE RECORDS

Section 5 CFR 293.106, Safeguarding Information about Individuals, states that personnel records must be stored in metal filing cabinets that are locked when the records are not in use or in a secured room. APPM Chapter REC-2, Records Management Program, dated May 12, 2005, states that offices geographically separated from Headquarters may maintain unofficial personnel files, which must be maintained in a secure, confidential manner.
In addition, Privacy Act System of Records Notice NLRB-10, Payroll/Personnel Records, states that the records should be maintained behind locked doors.

Employee records were generally maintained in locked filing cabinets in accordance with the regulations in the four Regional Offices visited. Some personnel records in Region 8 were not properly secured. The Region 8 time and attendance records, which contain SSNs, were maintained in an unlocked file cabinet in an unlocked office.

PHYSICAL INSPECTION

Workday physical inspections of the Regional Offices visited, Security, OED, and PFB did not find any instances of unsafeguarded SSNs. The following inadequacies were found in the other offices tested:

   •   A copy of an SF 50, Notification of Personnel Action, was left in the stack of papers to be recycled instead of being placed in a burn bag in HRB. Staff in HRB stated that the document should have been placed in the burn bag and that the employee was informed to do that in the future.

   •   On two occasions, copies of the NLRB-5493, ACH Vendor/Miscellaneous Payment Enrollment Form, were left unattended on the receptionist's desk in Finance. On one occasion, the document was partially obscured under another paper, but the document was in plain sight on the other occasion. The NLRB-5493 not only contains the Taxpayer Identification Number (either an SSN or an Employer Identification number), but also includes the vendor's banking information. The Finance Branch Chief noted that the employee who occupied the workspace was on vacation and added that forms are left at that desk for action by Finance.

   •   A stack of SF 182s, Request, Authorization, Agreement and Certification of Training, was left on a desk in Finance while the employee was not at the desk. The items were left with the SSNs in plain sight and accessible to anyone who walked past. The Finance Branch Chief noted that because of the volume of documents containing SSNs that Finance handled, finding forms on an employee's desk is likely at any time.

   •   A completed Travel Voucher was left on an unattended desk in Operations-Management. The employee's SSN was in plain view. Additionally, completed leave slips were left in plain view in a mailbox in a common area by a door leading to the main hallway. The leave slips have a space for SSNs, but the employee did not place the SSN on the form. Operations-Management noted that a policy for employees not putting the SSN on a leave slip does not exist, but added that such a policy may be considered.

   •   A folder containing affirmative employment files, which contain SSNs, was left on the credenza of the OEEO employee who maintains the files while the employee was out of the office. Staff in OEEO stated that the records should be maintained in a locked cabinet while the employee was out of the office.

TRAINING FORMS

OED uses the SF 182 for the administration of the Federal Training Program at the Agency. OED stated that the SSN, which is required on the form, is sent to a training provider when the request is used as an authorization document. OED noted that this was not an issue when the multi-copy paper form was used, because the SSN was not provided on the vendor copy of the form.

As a result, SSNs were provided to vendors. In most cases, providing the SSN to the vendor was unnecessary because the vendor only used either the employee's SSN or the last four digits as an identifier on the invoice in 2 of 21 training forms tested.
The OED Director stated during our review that a procedure has been implemented to redact the employee's SSN on copies of SF 182s sent to vendors.

PRIVACY ACT SYSTEMS OF RECORD NOTICE

The Privacy Act defines "system of records" as "a group of records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." The act further states that each agency that maintains a system of records shall publish a notice in the Federal Register establishing the system of records. The act also created criminal penalties for officers or employees of an agency who willfully maintain a system of records without meeting the notice requirements.

The OIG issued OIG-IA-04-01, Top 10 Management Challenges on December 17, 2003, which identified complying with Privacy Act system notice requirements as a serious management challenge. The lack of a Privacy Act system notice was again identified in OIG-IA-05-01, Top Management and Performance Challenges, issued on October 14, 2004.

The Regional Offices visited all maintained files for each discriminatee in compliance cases involving backpay. The files in each Regional Office were maintained by case name, then by the discriminatee name. Because the discriminatee files are retrievable by a personal identifier, they represent a de facto system of records as defined by the Privacy Act. The Agency has not created a System of Records Notice for these records. The Agency had drafted a System of Records Notice NLRB-21, "Case Activity Tracking System and Associated Regional Office Files" in September 2004. The draft System of Records Notice includes files maintained in compliance cases. The System of Records Notice has not been published.

AUDIT FOLLOW-UP

In Inspection Report No. OIG-INS-25-03-03, Review of Agency Procedures for Control of Identification Badges, dated March 12, 2003, we noted that the Agency used the last four digits of employees' SSN as an identifier on identification badges (IDs). The Security Branch Chief stated that a new numbering system would be developed and used for new badges beginning March 1, 2003.

Our review of IDs issued subsequent to March 2003 indicated that the last four digits of an employee's SSN are no longer used as the ID number in new IDs. The Security Branch Chief also noted that a standard credential would be implemented for Government employees in the future, and only an employee number would be maintained on the credential.

RECOMMENDATIONS

We recommend that the Records Management Section Chief/Privacy Act Officer:

   1. Revise Agency forms that do not comply with the Privacy Act requirements regarding the collection of SSNs.

   2. Inform Regional Offices about the Privacy Act requirement to disclose the authority for collecting SSNs, whether providing the SSN is mandatory, and the uses for the SSN.

   3. Update non-NLRB forms provided in the NLRB Web Forms Library so that they are complete and current.

   4. Remind employees about the importance of maintaining various documents containing SSNs in accordance with Agency policies.

   5. Coordinate with Agency management to publish a Privacy Act System of Records Notice for the Case Activity Tracking System and other Regional Office files.

ATTACHMENT

Universe of Transactions Available for Testing

FOIA Requests Processed in FY 2004

             Cases Processed   Sample Size
Advice       763               25
Appeals      47                25
OES          81                25
Region 8     141               25
Region 18    116               25
Region 20    104               25
Region 22    116               25

Compliance Cases, Calendar Year 2004

             Cases Processed   Sample Size
Region 8     110               25
Region 18    75                25
Region 20    81                25
Region 22    54                25

Complaint Issued or Unlawful Discharge Alleged, Calendar Year 2004

             Cases Processed   Sample Size
Region 8     187               30
Region 18    88                30
Region 20    109               30
Region 22    144               30

APPENDIX

UNITED STATES GOVERNMENT
National Labor Relations Board
Division of Administration
Memorandum

TO:        Jane E. Altenhofen
           Inspector General

FROM:      Tommie Gregg, Sr.
           Chief, Records M

SUBJECT:   Comments on Draft Audit Report - "Safeguarding Social Security Numbers" (OIG-AMR-48)

This is in response to your memorandum dated July 29, 2005, in which you requested comments on the draft audit report on the safeguarding of social security numbers. In your memo, you requested that we also indicate our agreement or disagreement with each of the report's findings and recommendations.

We have reviewed the report and have no comments with respect to the findings of the report.

Our comments regarding the report's recommendations are as follows:

Revise Agency forms that do not comply with the Privacy Act requirements regarding collection of SSNs.

We agree. We will take appropriate action to ensure that all NLRB forms fully comply with requirements of the Privacy Act.

Inform Regional Offices about the Privacy Act requirement to disclose the authority for collecting SSNs, whether providing the SSN is mandatory, and the uses for the SSN.

We agree. We will develop Privacy Act guidance and post it on the Agency's intranet so that all employees are informed about their rights and responsibilities for collecting and safeguarding personal identifiers, such as social security numbers.

Update non-NLRB forms provided in the NLRB Web Forms Library so that they are complete and current.

We agree. We have begun adding Privacy Act Statements to relevant non-NLRB forms listed in the NLRB Web Forms Library.

Remind employees about the importance of maintaining various documents containing SSNs in accordance with Agency policies.

OM-04-16, dtd December 24, 2003, addresses safeguarding of social security numbers; however, we will develop additional guidance and post it on the Agency's intranet so that all employees are informed about their rights and responsibilities for collecting, maintaining and safeguarding documents containing personal identifiers, such as social security numbers.

Coordinate with Agency management to publish a Privacy Act System of Records Notice for the Case Activity Tracking System and other Regional Office files.

We are in the process of finalizing draft Privacy Act System of Records Notice for the Case Activity Tracking System (CATS) and other Regional Office files.

Thank you for the opportunity to comment on the draft report. If you have any questions, please contact me on 273-2833.

cc: The Board
    General Counsel
    Director of Administration
    Associate General Counsel, Operations-Management
    Chief, Library and Administrative Services Branch